BILETA Special Edition

Tempting the Fate of the furious: cyber security and autonomous cars


ABSTRACT

The United Nations Economic Commission for Europe (UN ECE) has developed new aspects of its WP.29 agreement for harmonising vehicle regulations, focusing on the regulation of vehicle manufacturers’ approaches to ensuring vehicle cyber security by requiring implementation of an approved cyber security management system (CSMS). This paper investigates the background, framework and content of WP.29’s cyber security regulation. We provide an overall description of the processes required to become certified, discuss key gaps, issues and the impacts of implementation on stakeholders, and provide recommendations for manufacturers and the authorities who will oversee the operation. Putting the discussion into a broader theoretical framework on risk certification, we explore the role of non-academic sources in shaping public risk perception and in driving, for better or worse, legislative responses.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

1 A Tweet by Elon Musk. Retrieved from https://twitter.com/elonmusk/status/1198090787520598016

2 In February 2020, General Motors announced their withdrawal from the right-hand drive (RHD) markets of Australia, New Zealand and Thailand due in part to the high cost of making country-specific RHD vehicles for these small markets, and the claim that their two largest markets, the left-hand drive (LHD) markets of USA and China, were financially supporting RHD vehicle production.

3 ECSO, WG 1: Standardization certification labelling and supply chain management. Available at https://www.ecs-org.eu/documents/publications/5a3112ec2c891.pdf.

4 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Technical Report (2018), 10.6028/nist.cswp.04162018.

5 WP.29, Section 7.2.2.2 requires manufacturers to demonstrate that the processes they use ensure security and risks are adequately considered both in developing and applying the CSMS, and in the way they mitigate any cyber security issues identified in their organisation, supply chain or vehicles.

6 WP.29, Section 6.3 prescribes that documentation describing the CSMS is to be submitted by manufacturers to the Approving Authority. However, it does not go on to lay out the format or granular content of that CSMS documentation.

7 A footnote to Section 5.3.1(a) provides ISO 26262-2018, ISO/PAS 21448 and ISO/SAE 21434 as examples that offer suitable standards of knowledge for CSMS.

8 WP.29, Section 5.3.

9 In many jurisdictions, annual vehicle maintenance safety checks are mandated as part of the registration process for a motor vehicle. For example, in Australia these are referred to as a roadworthiness check, in the UK they are known as an MOT test, and in New Zealand they are described as a warrant of fitness.

10 ECE/TRANS/WP.29/2020/79 Revised, Section 5.1.1.

11 Ibid., Section 5.1.2.

12 Ibid.

13 Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32012R1025

14 For example: the Roads and Traffic Authority (RTA) in NSW, Australia; New Zealand Transport Agency (NZTA); and Driver and Vehicle Licensing Authority (DVLA) in the United Kingdom.

15 WP.29, Section 5.1.3(b).

16 WP.29, Section 5.1.3(c).

17 WP.29, Section 5.3.

18 WP.29, Section 5.1.3(a).

19 Box ticking manifests itself, first, by companies complying with the letter rather than the spirit of the provisions, and, second, by companies not utilising the inherent flexibility of the code to implement their optimum firm-specific governance structures by explaining rather than complying.

20 For example, Chrysler and Dodge have continued to offer model year updated versions of the 2008 Dodge Caravan/Voyager and Dodge Journey vehicles well into 2020, meaning that these vehicle TYPEs remained in production with various model year facelifts for over 12 years. Australia’s General Motors brand, Holden, released the VE Commodore in 2006 and, through a number of facelifts and rebadging as the VF, it was offered for sale until quite late in 2017: an 11-year production run. In all cases these vehicles received additional options and technologies during their prolonged sales periods, including several sophisticated ADAS systems.

21 Like anti-lock brakes, blind-spot detection, forward collision mitigation or lane keeping.

22 Report of the select committee appointed to consider of the means of preventing the mischief of explosion from happening on board steam-boats, to the danger or destruction of His Majesty’s subjects on board such boats. Available at https://hdl.handle.net/2027/nyp.33433010754467

Additional information

Funding

McLachlan and Schafer were supported by grant EP/T026952/1 AISEC; McLachlan was additionally supported by a grant from the Royal Academy of Engineering (RAEng), Safer aviation from ethical Autonomous Intelligence Regulation (SafeAIR) (ICRF2122-5-234); Schafer was additionally supported by a grant from the UKRI Strategic Priorities Fund to the UKRI Research Node on Trustworthy Autonomous Systems Governance and Regulation (EP/V026607/1, 2020-2024).